style="display:inline-block;width:300px;height:250px"
data-ad-client="ca-pub-5935214489160196"
data-ad-slot="8007533899">

Windows NT保護子系統

() SUBSYSTEM()Windows NT(POPUP MENU) \WINNT\SYSTEM32\*.SYSNTDevice DriverSYSSubsystemImage doesnt require a subsystem()Win32 GUI()Win32 Console Mode () () () Inside NT Second Edition Creating Process()EXE.Windows NT Executive Process Object Inside Windows NT Second EditionHint(()()()) () ()NT (1)CMD.EXE:*.BATDOS Command(:DIR..etc)CMD.EXEAUTOEXEC.BATDOS BOX?NTDOS BOXCMD.EXECMD.EXEDOS BOXCMD.EXEDOSCOMMAND.COMCOMMAND INTERPRETER (2)NTVDM.EXE:DOS BOXDOSNTVDM.EXEDOSDOSNTVDM.EXEDOS DOSWin16 NTVDM.EXEWin16 (3)Win 32Windows NTWin32POSIXOS/2 () ()EXE DLL Services.exe Service Controller Process Winlogon.exe Logon Process Smss.exe Session Manager Process Psxss.exe POSIX Subsystem Process OS2ss.exe OS/2 Subsystem Process Csrss.exe Win32 Subsystem Process Ntdll.dll Internal Support Functions and System Service Dispatch stubs to Executive Functions Kernel32.dll Win32 Subsystem DLLs User32.dll GDI32.dll Psxdll.dll POSIX Subsystem DLL NTOSKRNL.EXE Executive and Kernel Hal.dll Hardware Abstraction Layer Win32k.sys Win32 User and GDI Kernel-mode Components () Win32 Windows NTWin32Win324Process Process PID Pri System 0x02 8 Smss 0x19 B Csrss 0x21 D Idle 0x00 0 Win32Windows NTWin32CSRSS.EXE? […]

Windows NT系統介紹

<Step 3>WinICEidt2E0008:8013CBC0 KiReleaseSpinLock (NTOSKRNL)WinICE2EICENT2E2E () ICE2ENT DDK DriverWinICE()(DriverSource Code) SIDTWINICEWINICE WinICE Int 2d :0008:8013ddfc Int 2e :0008:8013cbc0 Int 31 : 0008:806b8044 Int 33 : 0008:80645dc4 Int 34 : 0008:806b9044 Int 37 : 0008:8013c336 WinICE Int 2d : 0008:8053c462 Int 2e : 0008:8053c471 Int 31 : 0008:8053c480 Int 33 : 0008:8053c48f Int 34 : 0008:8053c49e Int 37 : 0008:8053c4bc () 2E NTDLL.DLL2B2C : NtSetHighWaitLowThread 77F57F7C: CD 2B int 2Bh 77F57F7E: C3 ret NtSetLowWaitHighThread 77F58020: CD 2C int 2Ch 77F58022: C3 ret USER32.DLL IsWindow ……() 77E52244 8B442404 MOV EAX, 77E52248 CD2B INT 2B 2D31NT NTNT2E2ENTKernelUser Mode2EKernelNT API2E2EAPI? […]

Windows 98動態連結函式庫攔截技巧

,repair_send,Send http://www.sparc14.cc.ncku.edu.tw/e9484110(^_^) () Windows 98WSOCK32.DLL , <Step 1>LoadLibraryAws2_32.dll,ws2_32.dll <Step 2>LoadLibraryAmswsock.dllmswsock.dll <Step 3>wsock32.dllgethostbynameGetProcAddressws2_32.dll <Step 4>wsock32.dllEnumProtocolsAGetProcAddressmswsock.dll () 785C132C MOV ,EAX ,LoadLibraryA(ws2_32.dll)785C6180,785C1335,LoadLibraryA(mswsock.dll)785C6184, 785C1810 PUSH 785C63C0 785C1815 PUSH DWORD PTR 785C181B CALL DWORD PTR GetProcAddress 785C63C0gethostbyname,785C6180LoadLibraryA(ws2_32.dll),HelpGetProcAddress, GetProcAddress( HMODULE hModule, // handle to DLL module LPCSTR lpProcName // name of function ); […]